Instructions for creating key pairs and certificates for use with AUTOSOL Edge products. Prerequisite:

OpenSSL is installed and in your system PATH.

For Debian Linux, you may check to see if openssl is installed and on your PATH using the which command:

$ which openssl

The expected output is the path of the openssl binary. Example:

$ which openssl
/usr/bin/openssl

If openssl is not installed, which prints nothing and exits with a non-zero status. The most straightforward way to install openssl in Debian is by using the package manager:

sudo apt-get update && sudo apt-get install openssl

Once openssl is installed you can create your certificate chain.

How you create your certificate chain depends on your desired security posture. There are two options:

...

TLS with Server Certificate Authentication

...

Note

AUTOSOL does not provide this information for use as a source of security advice or best practices. The use of these examples is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities.

Steps for Creating Certificates for Client Authentication

For this step, the client (the eACM MQTT app, Bridge, Edge Manager, etc.) authenticates to the server (the MQTT broker) with a certificate before the TLS connection is fully established. This takes place after the server has authenticated to the client with its own certificate. A client that does not present a certificate may still authenticate to the broker through other means (password, etc.).

This process relies on two files produced by the server-authentication steps:

...

ca.key file - to be kept private to (this) system that generated it.

...

ca.pem file - public certificate authority (self signed) certificate, to be distributed.

...

Each client is then issued its own certificate, signed by that certificate authority.

Info

All of the steps under “Steps for Creating Certificates for Server Authentication” must be completed first before proceeding.

Create one key pair and one certificate for each uniquely identifiable client desired.

Whether you create one client certificate to share among your MQTT clients -or- each MQTT client has its own certificate is dictated by your organization’s IT security posture.

Info

Repeat this process for each key pair and client certificate that your logistics and security posture dictate.

The outputs for this process are:

  • client.key - to be kept private to the MQTT client(s) that use the key pair for authentication.

  • client.pem - public client certificate used for authenticating to the server (the MQTT broker).

Info

Reminder from the server-authentication steps: one or more server certificates can be created, one for each MQTT broker. The server certificate contains the IP or hostname of that server. During TLS session establishment, the TLS client (eACM-MQTT, Bridge, Edge Manager, etc.) will compare the IP or hostname that it is connecting to with the CN (Common Name) presented by the server certificate. If there is a match, the TLS client will proceed with the connection. If not, the TLS client will drop the connection and regard it as unverified and untrusted. You may choose to break this rule by unchecking the “Verify Certificate” box (not recommended).

...

The inputs for this process are:

...

...

  • Password for client.key (optional)

  • Common Name (CN) to identify your client certificate (optional). MQTT brokers can be configured to authenticate using the CN in the Subject field.

The exact steps in this process can be varied according to your needs. What follows is an example.

Create the key pair (ca.key) used by your certificate authority, if you have not already done so under the server-authentication steps. To protect it with a password (you will be prompted):

Code Block
openssl genrsa -aes256 -out ca.key 2048

To create ca.key without a password:

Code Block
openssl genrsa -out ca.key 2048

Create the self signed certificate authority certificate (ca.pem). If you used a password when creating ca.key, you will be prompted for it.

Code Block
openssl req -new -x509 -days 3650 -extensions v3_ca -key ca.key -out ca.pem -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=John Smith/emailAddress=johnsmith@gmail.com" -outform PEM

Create the key pair (client.key) used by your MQTT client.

It is important to note that this step can (and probably should) take place where the client is installed, so that the private key never leaves that system.

To protect it with a password (you will be prompted):

Code Block
openssl genrsa -aes256 -out client.key 2048

To create client.key without a password:

Code Block
openssl genrsa -out client.key 2048

Create the certificate signing request for the client (the MQTT client), client.csr. If you created ca.key on a different machine, you will need to copy client.csr to that machine. If you protected client.key with a password, you will be prompted for it.

If your broker is configured to authenticate based on the CN section of the Subject field, substitute MyEACM with something else that meaningfully identifies that particular MQTT client or its permissions role on the broker.

Code Block
openssl req -out client.csr -key client.key -new -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=MyEACM/emailAddress=name@company.com" -outform PEM

Info

The server certificate’s CN field (set under the server-authentication steps) should match the hostname or IP of the MQTT broker. The client certificate’s CN does not name a host; it identifies the client to the broker.

Create the client certificate (client.pem). This step must take place where you have your ca.key. The client.csr and ca.pem files are also required. If you used a password when creating your ca.key, you will be prompted for it.

Code Block
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 -outform PEM

You now have all the files required to configure your client and server (broker) for TLS authentication.
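As an added example (not AUTOSOL's script and not part of the original page), the following POSIX shell script runs the steps above non-interactively and then verifies the results the way a practitioner would before shipping the files. It assumes openssl is on the PATH with its stock openssl.cnf (needed for -extensions v3_ca); the directory names, the CA subject and the CN value MyEACM are placeholders. It goes beyond the page's commands in one respect: the signed client certificate carries CA:FALSE and extendedKeyUsage=clientAuth, so it cannot be presented as a CA or as a server certificate.

```shell
#!/bin/sh
# Added example, not AUTOSOL's script: runs the client-certificate procedure
# above non-interactively and then checks the outputs.
# Assumptions: openssl is on PATH with a stock openssl.cnf (needed for
# -extensions v3_ca); directory names and the CN value are placeholders.
set -eu

# Create ca.key and the self-signed ca.pem in directory $1 (this is the
# server-authentication prerequisite). The key is left unencrypted so the
# script can run unattended; add -aes256 when creating a real CA key.
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -extensions v3_ca \
        -key "$dir/ca.key" -out "$dir/ca.pem" -outform PEM \
        -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=Example Root CA"
}

# Create client.key, client.csr and the CA-signed client.pem in $1, with
# Subject CN=$2. Goes beyond the page's command by adding extensions that
# restrict the certificate to TLS client use (CA:FALSE, clientAuth).
make_client() {
    dir=$1
    cn=$2
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -outform PEM \
        -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=$cn"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/client.ext" -days 3650 \
        -out "$dir/client.pem" -outform PEM 2>/dev/null
}

# Succeeds only if client.pem chains to ca.pem and is valid for client auth:
# the same check a broker performs when the client presents the certificate.
verify_client() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/client.pem" \
        >/dev/null 2>&1
}

# Succeeds only if the public key inside client.pem matches client.key, which
# catches a key and a certificate from different runs being shipped together.
key_matches_cert() {
    [ "$(openssl pkey -in "$1/client.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1/client.pem" -noout -pubkey)" ]
}

# Print the Subject CN, i.e. the value a broker configured for CN-based
# authentication will see.
client_cn() {
    openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demo run in a scratch directory; the files stay there for inspection.
work=$(mktemp -d)
make_ca "$work"
make_client "$work" MyEACM
verify_client "$work" && echo "client.pem chains to ca.pem and is valid for TLS client authentication"
key_matches_cert "$work" && echo "client.key matches client.pem"
echo "Subject CN presented to the broker: $(client_cn "$work")"
echo "Outputs in $work: client.key (keep on the client), client.pem and ca.pem (distribute)"
```

Run it with sh (for example as sh make-client-cert.sh, a hypothetical file name). The two verification functions are the checks worth repeating on the client host after the files are copied: openssl verify with -purpose sslclient reproduces the broker's chain check, and the public-key comparison catches the common mistake of pairing a client.pem with a client.key from a different run.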

...

You will need to provide ca.pem to both your client and server.

...